Thanks a lot, Julio, for proposing this recurring contest. I think your post will get more attention if you prepend the title with ‘SIP 12’. I like it, but maybe you could add some criteria to the proposal giving a judging guideline for the jury? To reduce arbitrariness, we could e.g have a formula giving the points of a participant depending on the number of bug reports and the severity of the reported issues. then, the jury would just need to decide on severity and which reports are valid.
Why are you proposing to let the reporters sign a message to verify their address?
I think the prizes are a bit on the high side. You’re suggesting an ongoing program. So, we’d also need to pay these rewards even if no relevant bugs are found. Maybe the SIP should include some minimum requirements for the bounties to be paid as well?
1.- First prize is of 120 SOV, second 60 SOV, third 40 SOV; for a monthly award of 440 SOV… If it is still too much, just comment and we can reduce it even more.
2.- This practice (requiring a signature) is expected to prevent any dispute (by that moment or in any future) between users over the ownership of any report, and give the jury a proof that the address receiving any award corresponds to the maker of the winning report. (Let’s remember that these award-transactions are irreversible).
3.- A score table with a criterion for the assesment of the reports was included.
This is a very important initiative, because as you explain in your proposal Sovryn is a sum of development and action. When users discover issues, they can either keep silent or make them public.
To achieve the latter requires generosity, motivation or both. Therefore, rewarding users’ engagement with Sovryn may be the right strategy because recognising the value of the help helps at the same time to give value to Sovryn.
I have these questions:
What is the channel for communicating bugs?
What if there are several users reporting the same bugs at the same time in parallel?
is there a log of reported bugs that everyone can observe to know if they were already reported and even the progress in solving them?
Maybe there are ten users who have discovered bugs, but since there are three prizes, seven will not be rewarded. Maybe those seven bugs are more important together than each of the first three individually. However, they will not be rewarded.
It is a very interesting question set, and it could be solved with the most important technology ever: the very blockchain.
This additional solution could be added as part of the proposal: the user can create a report, get the hash value of the report, and send a transaction with the hash of thier report in the data field. Even a smart contract is not required!.. look at this testnet transaction I did to myself with the data 0xc3e24ffb055674ff4c3a053a57386262d25846d988151e887acb48652483d440 :
The order in which the reports are confirmed in the blockchain may solve the potential dispute over who was the first on what, then each user without rush can file the original report to a jury channel in discord, toghether whit the transaction with the proof of author rights of the report; and then the jury will evaluate each report deciding for a winner.
The signature would no longer be needed coz, the user already had to sign the transaction to file his report.
An idea to develope a little bit more and then to include in the proper SIP. I hope other members on the forum can check these mad ideas.
As regarding your question N°4, the winner reports should be the most useful ones, so the winner reports are expected to gather the largest amount of bugs in them.
Sadly if there are allowed more than 3 prizes, the proces turns too complicated.
I think there’s a really good proposal in the making here, good job @juliomoros… Forgive my ignorance but how long are the Sovryn sprints (makes a difference in assessing how reasonable the prizes are)?
My only suggestion is to consider a small additional prize, determined by a lottery of all addresses that submitted a report of sufficient quality (there would need to be a minimum number of entries and the lottery can’t be won by those already claiming a prize)… Just think there’s value in providing a small incentive to those who look but don’t necessarily find.
The amount of work to be done by the jurors will climb into hours if not dozens of hours per month as time goes on, it will be hard to motivate the jurors to properly do the due diligence the check every report, then criticize the bug report, score every aspect of the bug report, check if the user signed a message, then talk to the other jurors and once you finally come to a conclusion you have to sign a multisig to send the bounty.
Point is that you are asking alot from these jurors for what is basically volunteer work, and at that you are giving 3 people the power to distribute 440 SOV a month (currently around 2k usd). If they are not financially incentivized, collusion might be an issue.
I agree with you that should be there an incentive for jurors; and the common answer I’ve received from most of the people I’ve asked in private to be one of them is that they are too busy… We are all supposed to be very busy, and this extra activity as jurors, is outside our duties within Sovryn day-by-day work.
By the other hand, I know the Sovryn team, and all of us are amazing… (my personal opinion), and I think all of us love our work, and the reason why we are here, and I see a collution as something very unlikely; however, the extra effort it would take should be incentivized; as @yago mentioned in the last community call here: https://youtu.be/X7_rqBdAQIo?t=2719
I may suggest to award each jury member with 100 SOV tokens per month, for a total of 300 SOV tokens per month for jury members.
Another important thing is to make this a proposal just for 1 quarter; e.g. from April the 1st to June the 30th. Things in Sovryn are changins too fast as to pretent set a monthly undefinite program like this.
I’d like to see some comments before include these changes in the SIP-0013 draft. Thank you very much.
Disclosure: @juliomoros asked me to be one of the jurors, and these are the questions i raised which he suggested i post to the forum for consideration by others:
There DOES seem to be quite a bit of focus on form and process, are you sure you’re not going a bit overboard? Could this be simplified to decrease the workload, as mentioned by sway? Regardless of compensation incentives, this could really be a lot of work that could create conflicting priorities in a juror’s responsibilities.
how many bug bounty reports do you estimate receiving realistically per sprint?
could we combine the process to only happen every second sprint, but combine the sprints in the judging?
are you SURE that we are better running a bug bounty program ourselves rather than using gitcoin?
i guess an argument for running a testnet bounty contest is that we identify bugs and inconsistencies in the UI / UX earlier, and identify exploits earlier saving the project time and money when it’s a mainnet deploy, but why would we use such a program, if in place, only for testnet?
One of the things you mention is using the BBP as a hiring pipeline for obviously talented people, and indeed, that has bounty programs have proven to be one of the best ways for onboarding talent in the cryptosphere, which makes me think that your proposal would best be serve sovryn by being expanded in scope, rather than minimized to a single aspect of our products / code.
@yago reached out to @stefan regarding using gitcoin as a hiring pipeline last week, who reached out to me. The thing about running bounties over gitcoin is that it needs someone dedicated to managing the user account, process, content, as well as promoting it’s existence on social media channels etc to get traction and attention. Just “having” bounties doesn’t mean they get looked at - even here one faces competition for available resources and attention.
So, when i see your dedication to (and the quality of) this proposal, i’m starting to think that it should be expanded in scope and budget, and run over gitcoin as a monthly program incorporating the two sprints
Would you be willing to be responsible for this, if we did so? Would you have the TIME to do so amongst your other responsibilities for Sovryn?
Take a look at the gitcoin process here: Quickstart | Gitcoin , b/c it covers all of the necessary steps we’d have to duplicate for an internal program.
Running an inhouse test-net bounty program is a project in itself that needs a dedicated team to analyse any incoming reports. Nevertheless, it highly desirable to have one such program running in order to prevent any errors that might affect the project reputation
It makes more sense to award the prizes on a monthly basis. Firstly, that is a standard promotion structure used in various industries across the board and, secondly, it is easier to manage it from the operational perspective. In order to sweeten the deal, the prize structure can be expanded to 6 monthly rewards.
I would not market such a “competition” as a permanent one right from the start. I would rather announce it to last for a couple of months and reconsider it further down the line.
Gitcoin is a platform that might make the entire process easier for the reviewing team. Also, that will facilitate the program expansion to all bugs categories. But, that needs an active and tech-savvy admin.
Definitely agree with this proposal. Regular public testing should be encouraged and incentivised. I like the revised reward amounts but agree with other comments that there should be a scoring system, with a minimum threshold to pass eligibility for a reward.
Whether this is the right approach or not, I believe there should be some sort of test system in place going forward.
As for the comic sans. I would like to suggest a separate proposal SIP to make all of Sovryn use comic sans from now on.